E-mail has become an indispensable communication medium in the corporate environment. Whether it is orders, shipping confirmations or contract negotiations, much of it is handled digitally. Where letters and documents used to be sent by post, e-mail now fulfils that purpose, and it does so much faster.
In the early days of e-mail communication, transmission usually ran openly, unencrypted and readable by anyone who had access to a system in the transmission chain. It is therefore often compared to the postcard, which can also be read by anyone in transit.
Today the situation has improved somewhat. Many mail servers use transport encryption (TLS) to secure the communication between the individual server systems. But there are still many places where the contents of your e-mails are transmitted or stored unencrypted. We would be happy to help you implement a secure e-mail solution.
The following is a brief overview of the current options.
Generally, email encryption and email signature offer three key benefits:
Confidentiality: encryption ensures that the content is accessible only to the person for whom it is intended. Only the intended recipient, who holds the matching private key, can read the content.
Integrity: a digitally signed e-mail cannot be manipulated unnoticed. If the content is changed anywhere on the transmission path, the signature no longer verifies, so an e-mail whose signature checks out is guaranteed not to have been altered. Note that encryption on its own does not give this guarantee; the integrity check comes from the signature, which is why encryption and signing are normally combined.
Authenticity: you can rely on the stated sender really being the sender. Only the holder of the private key can produce a valid signature for an address, so a digital signature lets the recipient detect a forged sender address (spoofing).
There are different types of encrypted e-mail transmission. The techniques differ depending on where they are applied and who the communication partners are.
Transport encryption is used between mail servers. The servers handle it themselves and negotiate the encryption with their communication partner (typically via STARTTLS). Reading the e-mail content along the transmission path is thus prevented, as long as the encryption is continuous across every hop. Each server in the chain still decrypts the message and has it in the clear, however, and there are still older or misconfigured servers that do not support transport encryption at all. In that case the transmission is carried out unencrypted.
With end-to-end encryption, the message is encrypted by the sender and decrypted only by the recipient, so the entire communication path is covered. For this, sender and recipient each need a key pair (public key/private key) and must have exchanged their public keys. Since this encryption is continuous from sender to recipient and the two communication partners take care of it themselves, it also covers the case of missing transport encryption. Bear in mind that only the message body is encrypted: the headers (sender, recipient, subject, date) remain readable along the path.
Two techniques for e-mail encryption have become established. Both use asymmetric cryptography and offer similar functions.
With S/MIME (Secure/Multipurpose Internet Mail Extensions) you use X.509 certificates for signing, encryption and decryption. You obtain the certificates from a certification authority (CA). When selecting a CA, make sure that it is also accepted by the common mail systems, i.e. that the issuing CA is in their trust stores. S/MIME is already supported by most e-mail programs.
Note: When choosing a certification authority, make sure that your private key is generated on your own system and that the issuer never sees it; the CA only signs your public key. This is standard with reputable providers.
As with S/MIME, with PGP you also have a key pair consisting of a private and a public key. With PGP you generate this key pair yourself, since there is no central certification authority; trust in someone else's public key is instead established directly, for example by comparing fingerprints or through the web of trust. To use PGP in your e-mail program, you often need a suitable plugin.
Important: Also back up keys that have already expired, together with their passphrases. This is the only way you can still access old encrypted e-mails later. Even if you will no longer encrypt or sign e-mails with an old key, you still need it to decrypt the e-mails that were once encrypted to that key.
Encrypting e-mail and protecting its content is an important step in keeping confidential information private and preventing data leakage to unauthorized third parties. To robustly secure your e-mail communications, you should implement the following five techniques for the mail domains and servers your organization operates:
TLS (Transport Layer Security) encrypts the communication between mail servers. This prevents eavesdropping on the transmission.
SPF (Sender Policy Framework) is a TXT record in your domain's DNS that lists which servers are allowed to send e-mail with your domain as the envelope sender (MAIL FROM). The record ends with an "all" term whose qualifier decides what happens to everyone else: "-all" (fail) rejects them, "~all" (softfail) only flags them, and "+all" authorizes every host on the internet and is therefore worthless.
DKIM (DomainKeys Identified Mail) adds a digital signature to your e-mails, created by your mail server with a private key. The public key the recipient needs for verification is published as a TXT record in your DNS under a selector name (selector._domainkey.yourdomain).
With DMARC (Domain-based Message Authentication, Reporting and Conformance) you instruct the receiver how to handle e-mails for which neither of the two checks above (SPF, DKIM) passes for a domain that aligns with the visible From: address: deliver anyway (p=none, monitoring only), quarantine, or reject. Like SPF and DKIM, DMARC is defined via a TXT record in DNS (_dmarc.yourdomain), and it also lets you request reports on who is sending mail in your name.
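As an added example (not code from the original page), the following Python script shows how a receiving server evaluates the SPF record and looks up the DMARC policy for a sending domain, and what an auditor would flag in a weak configuration. The DNS records and domains (example.com, weak.example) are constructed for the demonstration and held in a dictionary instead of being fetched from DNS; the SPF evaluator is deliberately minimal and handles only ip4/ip6 mechanisms and the "all" term, not include, a, mx or redirect, and DKIM verification is represented by a flag rather than implemented.

```python
import ipaddress

# Constructed TXT records for two imaginary domains. In practice these are
# fetched from DNS; they are embedded here so the example runs offline.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"],
    # Weak configuration: SPF authorises the whole internet, DMARC only monitors.
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Minimal SPF (RFC 7208) evaluation for the envelope-sender domain.

    Only ip4:/ip6: mechanisms and the terminal 'all' are implemented; a full
    evaluator also handles a, mx, include, exists and redirect with a limit
    of ten DNS lookups. Returns one of: none, pass, fail, softfail, neutral.
    """
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if not records:
        return "none"  # no policy published: anyone may claim this domain
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(mechanism[4:], strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term


def dmarc_policy(domain):
    """Parse the _dmarc.<domain> TXT record into its tags; None if absent."""
    records = [r for r in DNS_TXT.get("_dmarc." + domain, []) if r.startswith("v=DMARC1")]
    if not records:
        return None
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def receiver_decision(domain, client_ip, dkim_aligned_pass=False):
    """What a DMARC-aware receiver does with a message whose From: is 'domain'.

    DMARC passes if aligned SPF *or* aligned DKIM passes. SPF alignment is
    assumed here (envelope sender domain == From: domain); the DKIM result is
    passed in as a flag because signature verification is out of scope.
    """
    spf = spf_check(domain, client_ip)
    policy = dmarc_policy(domain)
    if spf == "pass" or dkim_aligned_pass:
        return "deliver"
    if policy is None:
        return "deliver"  # no DMARC record: the receiver falls back to local policy
    action = policy.get("p", "none")
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(action, "deliver")


def weaknesses(domain):
    """Flag the settings an auditor would call out for a domain."""
    findings = []
    spf_records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if not spf_records:
        findings.append("no SPF record")
    else:
        last = spf_records[0].split()[-1]
        if last in ("+all", "all", "?all"):
            findings.append("SPF ends with %s: every host may send as this domain" % last)
        elif last == "~all":
            findings.append("SPF ends with ~all: forged mail is only softfailed")
    policy = dmarc_policy(domain)
    if policy is None:
        findings.append("no DMARC record")
    elif policy.get("p", "none") == "none":
        findings.append("DMARC p=none: failures are reported but still delivered")
    return findings
```

Running weaknesses("weak.example") returns two findings (the "+all" and the "p=none"), while example.com returns none; receiver_decision("example.com", "198.51.100.7") comes back "reject" because the address is outside the authorized range and the domain publishes p=reject.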
To ensure that the certificates used for transport encryption are also legitimate, DANE (DNS-based Authentication of Named Entities) helps. Here, a fingerprint of the mail server's certificate or of its public key is published in a TLSA record for the server's SMTP port (e.g. _25._tcp.mail.example.com) and secured using DNSSEC. A sending server that supports DANE then refuses to deliver to a server whose certificate does not match the record, instead of falling back to an unverified or unencrypted connection. Further information can be found in the technical guideline TR-03108 (Secure E-Mail Transport) issued by the German Federal Office for Information Security (BSI).
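As a second added example (again not from the original page), the Python below builds and checks the TLSA record DANE relies on, following RFC 6698: the record for SMTP lives at _25._tcp.<mailhost>, and its data consists of certificate usage, selector, matching type and the digest. The DER-encoded SubjectPublicKeyInfo used here is constructed for the demonstration (an Ed25519 key); on a real server you would extract it from the certificate, e.g. with openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER. Only usage 3 (DANE-EE) is handled, which is the form commonly used for mail servers.

```python
import hashlib

# Constructed DER SubjectPublicKeyInfo of an Ed25519 key for the demonstration:
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING <32-byte key> }.
EXAMPLE_SPKI = bytes.fromhex(
    "302a300506032b6570032100"
    "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"
)

USAGE_DANE_EE = 3      # the published key/certificate itself is the trust anchor
SELECTOR_CERT = 0      # hash the full certificate
SELECTOR_SPKI = 1      # hash only the SubjectPublicKeyInfo (survives re-issuance with the same key)
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def tlsa_owner(mailhost, port=25, proto="tcp"):
    """Owner name of the TLSA record for an SMTP listener, e.g. _25._tcp.mail.example.com."""
    return "_%d._%s.%s." % (port, proto, mailhost.rstrip("."))


def tlsa_rdata(cert_der=None, spki_der=None, usage=USAGE_DANE_EE,
               selector=SELECTOR_SPKI, matching=MATCH_SHA256):
    """Return the record data 'usage selector matching hex' for the given DER input."""
    data = spki_der if selector == SELECTOR_SPKI else cert_der
    if data is None:
        raise ValueError("selector %d requires the corresponding DER bytes" % selector)
    if matching == MATCH_FULL:
        digest = data.hex()
    elif matching == MATCH_SHA256:
        digest = hashlib.sha256(data).hexdigest()
    elif matching == MATCH_SHA512:
        digest = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type %d" % matching)
    return "%d %d %d %s" % (usage, selector, matching, digest)


def tlsa_matches(rdata, cert_der=None, spki_der=None):
    """Verify the certificate/key presented in the TLS handshake against a published record.

    Only usage 3 (DANE-EE) is handled; usages 0 to 2 additionally require PKIX
    chain validation or a trust-anchor match and are out of scope here.
    """
    usage, selector, matching, digest = rdata.split()
    if int(usage) != USAGE_DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    expected = tlsa_rdata(cert_der, spki_der, int(usage), int(selector), int(matching))
    return expected.split()[3] == digest.lower()


if __name__ == "__main__":
    record = tlsa_rdata(spki_der=EXAMPLE_SPKI)
    print("%s IN TLSA %s" % (tlsa_owner("mail.example.com"), record))
```

Two operational points follow from the code: with selector 1 a certificate renewal that keeps the same key leaves the record unchanged, and when you do rotate the key, publish the new TLSA record (and let the old record's TTL expire) before switching the server over, because DANE-aware senders refuse delivery on a mismatch rather than falling back.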